Month: December 2015

I recently got the new Cisco 5506-X and thought I would benchmark the WAN throughput on it to see what it can actually push. I had 3 x 100mbit WAN links, connected each one to its own outside interface, and ran a 5GB speedtest download on each link at the same time. I used PBR (Policy Based Routing) on the device together with some access lists to forward each flow out of the link I wanted it to use.
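To show the kind of per-link steering described above, here is an added illustrative ASA 9.4+ policy-based-routing configuration (not the author's config, which this post does not include); every interface name, address and next-hop is an assumed placeholder:

```cisco
! Assumed layout (placeholders, not the author's addressing):
!   Gi1/1 outside1 203.0.113.2/30   next-hop 203.0.113.1
!   Gi1/2 outside2 198.51.100.2/30  next-hop 198.51.100.1
!   Gi1/3 outside3 192.0.2.2/30     next-hop 192.0.2.1
!   Gi1/4 inside   192.168.1.1/24   (test hosts .11, .12, .13)
!
! One ACL per test host so each host is pinned to one WAN link.
access-list PBR-WAN1 extended permit ip host 192.168.1.11 any
access-list PBR-WAN2 extended permit ip host 192.168.1.12 any
access-list PBR-WAN3 extended permit ip host 192.168.1.13 any
!
! Route-map: matched traffic is sent to the chosen ISP gateway;
! unmatched traffic falls through to the normal routing table.
route-map WAN-PBR permit 10
 match ip address PBR-WAN1
 set ip next-hop 203.0.113.1
route-map WAN-PBR permit 20
 match ip address PBR-WAN2
 set ip next-hop 198.51.100.1
route-map WAN-PBR permit 30
 match ip address PBR-WAN3
 set ip next-hop 192.0.2.1
!
! PBR is applied on the ingress (inside) interface.
interface GigabitEthernet1/4
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 policy-route route-map WAN-PBR
!
! Each outside interface needs its own PAT rule so return traffic
! arrives on the same link the flow left on.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface
nat (inside,outside3) source dynamic INSIDE-NET interface
```

With this in place, `show route-map WAN-PBR` and `show conn` let you confirm that each test host's connections are actually leaving on a different outside interface before reading the CPU figure.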
Here are some of the specs of the 5506-X using show version:

With the three interfaces saturated at a combined 300mbit, the CPU on the device reached 67%. This is with only the firewall enabled and no other features such as Firepower turned on. The Cisco documentation states that the minimum firewall throughput is 750mbit. If 3 WAN links at 300mbit already reach 67% CPU, adding another link would push the CPU close to its maximum at 400mbit. In my opinion the 750mbit figure will not be reached, or will be very difficult to reach, because the CPU on the device will be very high and packets might start getting dropped. Has anyone else done speedtesting on it? Let me know your thoughts!

Here is a screenshot of the WAN performance of the ASA 5506-X @ 300mbit.

I finally managed to get NBN Fiber activated at my place. I have purchased a Cisco 5506-X to terminate 2 x 100/40mb NBN services, as this is the maximum available speed per carrier. I plan on using the Policy Based Routing function on the Cisco 5506-X to load balance the links a bit and to define traffic types and how each should flow. I will later document my config of the Cisco and the funky PBR I have set up on it. The NBN box offers 2 voice ports and 4 ethernet ports; the 4 Ethernet ports can serve up to 4 ISPs delivering traffic to your premises. Since I have dual links at present, technically I have a 200/80 link load balanced on the ASA, which is quite nice 🙂

Here are some photos of my setup and how it is functioning; in a later post I will go through the 5506-X configuration.

Hello again, I thought I might make some further updates to my blog on what has been happening recently. A few months ago I decided that I wanted to replace my Cisco ASA5505 with something newer that offered gigabit ports and a somewhat stronger firewall. At work we have removed Cisco from the firewall infrastructure and replaced it with Checkpoints, so I thought Checkpoint was the way to go. The device I purchased was the Check Point 680 + Wi-Fi + ADSL + 3 Yr [CPAP-SG680-NGTP-WDSLA-W-3Y-BUN] with a 3 year support agreement. It cost me about $1515 AUD, and according to the Checkpoint reseller this device would be able to handle a 100mbit link, as I was going to be upgrading to a 100/40 NBN Fiber service in Australia and would probably have dual 100/40 links terminating on this device.

Unboxing and getting it up and running was a breeze; it was simple and looked very impressive. When I started downloading my first 5GB speedtest file from an HTTP server with all the blade modules turned on (AV, IPS, Firewall, Spam, etc.), the device severely underperformed and I was only able to achieve 30-40mbit. The CPU on the device was at 100% and everything was unresponsive. I then turned off all the blades except the firewall and it only managed around 60mbit, which again is very poor. The specification sheet clearly states that this device can handle 1.5Gigabits of throughput when firewalling; try about 60mbit instead, quite pathetic from Checkpoint. Even during the large file transfer, pinging the Checkpoint device itself from inside the LAN was slow and unresponsive, with pings of 500+ ms, which was crazy. I complained to the reseller that this device is not worth the price I paid as the speed is awful, and they put me in touch with a local Checkpoint engineer. The engineer advised upgrading the software on the device to a later version, so I did, but performance was still bad and certainly nowhere near as impressive as a Cisco ASA. He advised consulting Checkpoint directly to see what they could do.

I logged a case with Checkpoint directly, telling them that this device does not perform as per specifications, has severe performance issues and cannot handle a 100mb WAN link. This is the conversation I had with them:

2:22 PM Checkpoint : Can you pass the FTP file now?
2:22 PM Customer: ok
2:23 PM Checkpoint : It looks ok
2:23 PM Customer: see the pings to the gateway
2:23 PM Customer: when I log in to the web interface
2:23 PM Customer: pings go up
2:23 PM Customer: like crazy
2:24 PM Checkpoint : What happens when you ping through the appliance, and not directly to it?
2:25 PM Customer: same thing
2:26 PM Customer: all the pings increase
2:26 PM Customer: I also use a Cisco ASA 5505, it doesn't have such an issue
2:26 PM Customer: when i swap
2:27 PM Checkpoint : That's expected behavior since the appliance Web UI logging takes the most CPU
2:27 PM Customer: yes but it shouldn't affect speeds and latency
2:28 PM Customer: for everyone while I'm browsing the appliance
2:29 PM Checkpoint : When logged into the device Web UI the SFWD process CPU jumps and of course it impacts latency and performance
2:29 PM Checkpoint : What is the device firmware version ?
2:29 PM Customer: but for a device of this price
2:29 PM Customer: that should not be a problem
2:31 PM Checkpoint : I understand but I can confidently say it’s a normal behavior
2:32 PM Customer: yeah well I disagree with that
2:32 PM Customer: I have a 5 year old ASA
2:32 PM Customer: the pings do not jump
2:32 PM Customer: to the gateway
2:33 PM Customer: see, I'm not even touching it, just transferring files
2:33 PM Customer: and pings increase
2:33 PM Checkpoint : You don't need to, as long as you're connected to the web UI the httpd watchdog eats the CPU
2:33 PM Checkpoint : I know
2:33 PM Customer: and then I turn on all the features
2:33 PM Customer: and initiate my transfer
2:33 PM Checkpoint : I might have a workaround that may improve the device performance
2:33 PM Customer: it kills the device
2:34 PM Customer: and doesn't respond
2:34 PM Checkpoint : Want to try it ?
2:34 PM Checkpoint : I can send you a link for the new version that might improve the device’s performance
2:35 PM Customer: ok but the Checkpoint engineer said to use this one as it's the latest
2:35 PM Customer: is there one newer than 77.20
2:36 PM Checkpoint : There is a new version that was released two days ago and it contains a fix that might improve the performance
2:37 PM Checkpoint : And this is the best effort I can do regarding this issue
2:37 PM Checkpoint : Would you like to test it ?
2:37 PM Customer: ok
2:37 PM Customer: what's changed in the new version
2:38 PM Customer: what does the R&D think about this ?
2:38 PM Checkpoint : Wait a second, I need to check a few things
2:41 PM Checkpoint : I'm sorry, I just rechecked, the device features cannot handle high speed such as the 100MB you are using
2:41 PM Checkpoint : I doubt if the new version will make any difference
2:42 PM Customer: so what handles 100mb with all the features on?
2:43 PM Checkpoint : A strong Check Point device but not the 600

So there you have it: as you can see above, proof that a Checkpoint 680 cannot handle high-speed WAN links, so do not buy one! Luckily I was able to return it and get a refund, as its $1500+ price is certainly not worth it.